Skip to main content

SSL/TLS OpenVPN with HMAC Authenication

These instructions work on CentOS 6.x, Debian 6.x, Knoppix 6.x and probably other Linux distributions. (Easy-RSA and files kept in the directory /usr/share/doc aren't always available.) How the OpenVPN service runs on the server depends on how the service is configured to accept connections from clients. Additionally, clients have to be configured to communicate with that specific service. 

Server Instructions
1. Generate a RSA private key of 1024 bits encrypted using triple DES:
openssl genrsa -des3 -out ca.key 1024;


2. Generate a new certificate signing request using your RSA private key:
openssl req -new -key ca.key -out ca.csr;


3. Generate a self-signed root certificate that expires in 365 days:
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt;
cp ca.crt /etc/openvpn/keys;
scp ca.crt root@<client hostname>:/etc/openvpn/keys;


4. Generate a certificate file and a key file for the server, sign it with the root certificate key:
openssl req -new -keyout server.key -out server.csr;
openssl x509 -req -days 90 -in server.csr -signkey ca.key -out server.crt;
mv server.key server.crt /etc/openvpn/keys;


5. Generate a certificate file and a key file for each client, sign it with the root certificate key:
openssl req -new -keyout client.key -out client.csr;
openssl x509 -req -days 30 -in client.csr -signkey ca.key -out client.crt;
scp client.crt client.key root@<client hostname>:/etc/openvpn/keys; 


6. Generate a static key to work with SSL/TLS certificates for HMAC authenication:
openvpn --genkey --secret hmac.key
cp hmac.key /etc/openvpn/keys;
scp hmac.key root@<client hostname>:/etc/openvpn/keys;


7. Create the configuration file "server.conf" of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/server.conf;
echo "local <private address>
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
secret /etc/openvpn/keys/hmac.key
server <network id of private network> <subnet mask>
keepalive 10 120
tls-auth hmac.key 0
comp-lzo
max-clients 5
user <user owner of tunnel>
group <group owner of tunnel>
status /var/log/openvpn/openvpn-status.log
verb 4
mute 10" > /etc/openvpn/server.conf;


8. Create the configuration file "tun0.conf" for the tun device of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/tun0.conf;
echo "dev tun0
ifconfig <server ip address> <client ip address>
secret /etc/openvpn/keys/hmac.key" > /etc/openvpn/tun0.conf; 


9. Enable kernel IP forwarding in the server:
echo '1' > /proc/sys/net/ipv4/ip_forward;
sysctl net.ipv4.ip_forward=1;


10. Automatically start your OpenVPN service on boot up:
update-rc.d openvpn <options>;


11. Edit the file "/etc/hosts.allow" that's the hosts access control list for allowing access to services on your server from specific hostnames, IP addresses, networks, and FQDNs:
<service or wildcard>: <hostname> <ip address>/<subnet mask> <fqdn>


12. Edit the file "/etc/hosts.deny" that's the hosts access control list for denying access to services on your server from specific hostnames, IP addresses, networks, and FQDNs:
<service or wildcard>: <hostname> <ip address>/<subnet mask> <fqdn>


13. Start the OpenVPN service:
service openvpn start;


14. Forward client connections to your OpenVPN service through your routed IP tunnel device "tun0":
iptables -A INPUT -i <interface> -p udp --dport 1194 -j FORWARD;
iptables -A FORWARD -i <interface> -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
iptables -A FORWARD -o <interface> -s <private network>/<prefix length> -j ACCEPT;
iptables -t nat -A POSTROUTING -o <interface> -s <private network>/<prefix length> -j MASQUERADE;  


Client Instructions
1. Create the configuration file "client.conf" of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/client.conf;
echo "client
dev tun0
proto udp
ns-cert-type server
remote <server address> 1194
resolve-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
secret /etc/openvpn/keys/hmac.key
comp-lzo
verb 4" > /etc/openvpn/client.conf;


2. Create the configuration file "tun0.conf" for the tun device of the OpenVPN service in the directory "/etc/openvpn":
touch /etc/openvpn/tun0.conf;
echo "dev tun0
ifconfig <client ip address> <server ip address>
secret /etc/openvpn/keys/hmac.key" > /etc/openvpn/tun0.conf;


3. Check the client's configuration file for errors:
openvpn --config client.conf;


4. Add new routes to the OpenVPN service on the client:
ip route add <server ip address> via <gateway ip address> dev <outgoing interface> proto static;
ip route change default via <client tun0 ip address> dev tun0 proto static;


5. Allow outgoing client connections to the OpenVPN through your firewall:
iptables -A INPUT -i <interface> -p tcp --sport 1194 -j ACCEPT
iptables -A OUTPUT -o <interface> -p tcp --dport 1194 -j ACCEPT 

Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@Gmail.com or 720-584-5229.

Comments

Popular posts from this blog

The meaning of time in reinforcement learning

Reinforcement learning (RL) is one of three basic machine learning paradigms, alongside supervised learning and unsupervised learning. Reinforcement learning is concerned with how software agents ought to take actions in an environment in order to maximize the notion of cumulative reward through the process of trial and error. In reinforcement learning an agent starts at an empty state then analyzes the available datasets according to a policy of positive states and negative states. Rather than being explicitly taught as in supervised learning the correct set of actions for performing a task, reinforcement learning uses rewards as signals for positive states and punishments as signals for negative states. The agent obtains the best path to a desirable reward as a cumulation of positive states and negative states. As compared to unsupervised learning, reinforcement learning is different in terms of goals. While the goal in unsupervised learning is to find similarities and differences...

Old idea of encrypted, anonymous group chats

Encrypted, Anonymous Group Chats An owner of the chat connects through multiple VPNs, like NordVPN and SurfShark which are the most popular. Then the owner obtains access to an email provider hosted in a country outside the United States. Once the new email account has been setup and ready to use, the owner shares the login username and login password of that email account with the participants. The idea is to never send/receive any emails, only exchange messages saved as drafts in the email account. The drafts don't get sent/received anywhere. It's also important to note that messages are saved as new drafts without subject-line and recipient-info. Ideally there will be at most two drafts in the account at a time. When the chat is finished the email account is deleted. Whenever the participants are ready to chat, the participants login to that email account and compose a new email. They will write a message and encrypt it with PGP, then save it as a new draft without subjec...

Uploading files through Secure WebDAV using DAVfs

WebDAV is a protocol that facilitates uploading and downloading files through HTTP (port 80) and HTTPS (port 443). Whenever a WebDAV service is being ran over SSL it is called Secure WebDAV. DAVfs is a file system interface to the WebDAV protocol, it works with WebDAV and Secure WebDAV. The command mount uses DAVfs to recognize a WebDAV share as a regular file system so that other tools, scripts, services, and users can access the share's contents (as a file system with actual directories). Here's an easy solution for uploading files to your WebDAV account. These instructions work on Linux, FreeBSD, Solaris, and probably other distributions too. 1. Make a local directory for transferring files. mkdir <your directory>; 2. Stop other processes and users from interfering with your transfers. chown root:root <your directory> && chmod 770 <your directory>; 3. Mount your online cloud share using davfs. Enter your password when the prompt appears askin...